Bug 44205 - read from pointer after free src/mesa/drivers/dri/intel/intel_mipmap_tree.c
Summary: read from pointer after free src/mesa/drivers/dri/intel/intel_mipmap_tree.c
Status: RESOLVED FIXED
Alias: None
Product: Mesa
Classification: Unclassified
Component: Drivers/DRI/i965
Version: git
Hardware: Other All
: medium normal
Assignee: Anuj Phogat
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-12-28 00:12 UTC by Vinson Lee
Modified: 2012-01-04 11:34 UTC

See Also:
i915 platform:
i915 features:



Description Vinson Lee 2011-12-28 00:12:52 UTC
mesa: b50d250e02457f367c195ee1808b061e0dfe2d00 (master)

Coverity reports a read from pointer after free defect in the following code.

src/mesa/drivers/dri/intel/intel_mipmap_tree.c
   639     for (i = mt->hiz_map.next; i; i = i->next) {
   640        if (i->need != need)
   641           continue;
   642        func(intel, mt, i->level, i->layer);
   643        intel_resolve_map_remove(i);
   644        did_resolve = true;
   645     }

"intel_resolve_map_remove" frees "i"
Dereferencing freed pointer "i"
Comment 1 Anuj Phogat 2012-01-03 17:57:24 UTC
This patch should resolve this issue reported in Coverity:

--- a/src/mesa/drivers/dri/intel/intel_mipmap_tree.c
+++ b/src/mesa/drivers/dri/intel/intel_mipmap_tree.c
@@ -640,12 +640,13 @@ intel_miptree_all_slices_resolve(struct intel_context *intel,
                                 resolve_func_t func)
 {
    bool did_resolve = false;
-   struct intel_resolve_map *i;
+   struct intel_resolve_map *i, *next;
 
-   for (i = mt->hiz_map.next; i; i = i->next) {
+   for (i = mt->hiz_map.next; i; i = next) {
       if (i->need != need)
         continue;
       func(intel, mt, i->level, i->layer);
+      next = i->next;
       intel_resolve_map_remove(i);
       did_resolve = true;
    }
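Review bot: `next` is assigned only after the `if (i->need != need) continue;` check, so for any entry that is skipped the loop step `i = next` runs with `next` unset (uninitialised on the first iteration, stale from an earlier iteration afterwards), which can re-visit or skip entries. Move `next = i->next;` to the top of the loop body, before the `continue`, so every iteration saves the successor while `i` is still live; the placement after `func(...)` but before `intel_resolve_map_remove(i)` is otherwise correct.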
Comment 2 Anuj Phogat 2012-01-04 11:34:39 UTC
This issue is resolved by the commit below on mesa (master):

commit 0ed11e333147e280208d9d0b3ff3f39970547643
Author: Anuj Phogat <anuj.phogat@gmail.com>
Date:   Tue Jan 3 18:12:06 2012 -0800

    Fix read from pointer after free
    
    Coverity reported a read from pointer after free defect in
    src/mesa/drivers/dri/intel/intel_mipmap_tree.c. Bug# 44205
    In intel_miptree_all_slices_resolve() function, i = i->next was
    executing after freeing i. I have defined a temporary variable
    (next) to store the value of i->next before freeing i
    
    Reported-by: Vinson Lee <vlee@vmware.com>
    Signed-off-by: Anuj Phogat <anuj.phogat@gmail.com>
    Reviewed-by: Eric Anholt <eric@anholt.net>
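
The pattern behind this bug, as an added example that is not Mesa's code: a hypothetical stand-in for the `intel_resolve_map` list (same `next`/`prev` link shape and an `elem`-only remove, but all names here are assumptions) with the traversal that saves the successor before the node is freed.

```c
/* Added example, not Mesa's code: a hypothetical stand-in for the
 * intel_resolve_map list showing the safe iterate-and-remove traversal. */
#include <stdlib.h>
struct resolve_map {
    unsigned level, layer;
    int need;                            /* which resolve this slice needs */
    struct resolve_map *next, **prev;    /* prev: address of the link to us */
};

/* Push at the head; *head is the list anchor (like mt->hiz_map.next). */
void map_push(struct resolve_map **head, unsigned level, unsigned layer, int need)
{
    struct resolve_map *n = calloc(1, sizeof *n);
    n->level = level; n->layer = layer; n->need = need;
    n->next = *head; n->prev = head;
    if (*head) (*head)->prev = &n->next;
    *head = n;
}

/* Unlink and free; afterwards any read of elem (e.g. elem->next) is a UAF. */
void map_remove(struct resolve_map *elem)
{
    *elem->prev = elem->next;
    if (elem->next) elem->next->prev = elem->prev;
    free(elem);
}

/* Resolve and unlink every slice whose need matches; returns the count.
 * The reported loop "for (i = *head; i; i = i->next)" read i->next after
 * map_remove(i) freed i; saving next first, before the continue, fixes it. */
int resolve_all(struct resolve_map **head, int need, void (*func)(unsigned, unsigned))
{
    int done = 0;
    struct resolve_map *i, *next;
    for (i = *head; i; i = next) {
        next = i->next;                  /* read while i is still live */
        if (i->need != need)
            continue;
        if (func) func(i->level, i->layer);
        map_remove(i);
        done++;
    }
    return done;
}

int map_count(const struct resolve_map *h)
{
    int n = 0;
    for (; h; h = h->next) n++;
    return n;
}
```

Running it under AddressSanitizer or Valgrind with the original `i = i->next` step restored reports the heap-use-after-free that Coverity flagged statically.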

